David Helkowski set out to be a whistle-blower. It didn't go as expected.


Update: David Helkowski cooperated with federal authorities, and the University of Maryland and Department of Justice declined to prosecute the case. He has since moved on to other employment. Our original story follows.

David Helkowski stood waiting outside a restaurant in Towson, Maryland, fresh from a visit to the unemployment office. Recently let go from his computer consulting job after engaging in some “freelance hacking” of a client’s network, Helkowski was still insistent on one point: his hack, designed to draw attention to security flaws, had been a noble act.

The FBI had a slightly different take on what happened, raiding Helkowski’s home and seizing his gear. Helkowski described the event on reddit in a thread he titled, “IamA Hacker who was Raided by the FBI and Secret Service AMAA!” Recently Ars sat down with him, hoping to get a better understanding of how this whitehat entered a world of gray. Helkowski was willing to tell practically everything—even in the middle of an ongoing investigation.

Until recently, Helkowski worked for The Canton Group, a Baltimore-based computer consulting firm serving, among other clients, the University of Maryland. Helkowski’s job title at The Canton Group was “team lead of open source solutions,” but he began to shift his concerns toward security after identifying problems on a University of Maryland server.

That transformation from developer to hacker came to a head when Helkowski decided that the vulnerabilities had gone unfixed for too long. He set out to prove a point about computer security both to the University of Maryland and to his employers. In early March 2014, working from a computer in his Parkville, Maryland home, Helkowski said that he exploited a misconfigured Web server and some poor database security in order to duplicate the results of a recent data breach that exposed the Social Security numbers and personal information for more than 300,000 current and former University of Maryland students and staff.

On March 14, Helkowski made his point rather dramatically by posting the university president’s Social Security number and phone number to reddit. He then sent an anonymous e-mail to the members of the university’s newly formed security task force, telling them in no uncertain terms just how horrible their security was.

Though he claims the message was not meant to sound threatening, it included lines like, “Out of politeness I’ll give you a chance to respond directly about this to me, and I’ll consider pulling it off the public Internet...Your internal IDs are listed below to get your attention.” If the security task force wouldn’t work with him, Helkowski told them to “consider this your fair warning and last contact from me.”

Despite his use of proxy and VPN services, the FBI began asking questions around Helkowski’s workplace the very next day. On the afternoon of March 16, agents investigating the case obtained a warrant. They kicked in the door of Helkowski’s home at 7pm that night. He was not arrested during the search, but his electronics were seized, his dog was (temporarily) lost, and federal charges may well be forthcoming.

The picture Helkowski painted of the circumstances leading up to his brush with law enforcement—and the still-present possibility that he will face criminal and civil charges—bears a strong resemblance to stories of information systems projects gone wrong at other universities and institutions. It has particular resonance for the public sector, where contractors can sometimes find it easier and safer to turn a blind eye to security problems rather than disclose them.

An unlikely hacker

Helkowski looks a bit older than his 32 years, with a slight build and a few gray hairs among the wiry black ones pulled back into his ponytail. He’s clearly confident in his abilities and confident that what he’s done is morally, if not legally, right. Helkowski told Ars he would act in exactly the same way if he had to do it all again.

An avid Steam gamer and anime fan, Helkowski is also a self-described computer keyboard aficionado. At one point, he had a collection of more than 35 keyboards, starting with a Northgate OmniKey that he picked up at a yard sale for $10. When the FBI raided his house, the agents had difficulty dealing with his current preferred keyboard—a Japanese keyboard with an English alphabet that he bought in the Akihabara district of Tokyo. The characters for each key are printed on the front of the key instead of its top, and its symbols don’t properly map to US standards.

“I figured out how to make it work with Windows by going in and making Windows Registry changes,” he told me. “But now I’ve just memorized which key maps to which symbol.”

Helkowski’s travels to Japan weren’t just driven by a desire for a clicky keyboard. Helkowski’s wife, a pianist and music teacher, is from Japan. He met her while she was in the US studying at Berklee College of Music. They dated but once. A few years later, after another relationship ended, he started communicating with her over the Internet again, finding she had moved back to Japan to get a degree in music therapy. He traveled to see her, and they married six years ago.

“She teaches piano to kids 3 to 12 years old, and we have two grand pianos in our living room,” he said.

Helkowski's employer at the time of the hack.

Cantongroup.com

Helkowski has been a developer for a number of Maryland tech companies, doing everything from Web scripting to hardcore C development. Before joining The Canton Group last July, he worked as a contractor for a year at T. Rowe Price. But it was his experience in dealing with ColdFusion and doing data conversion work that greased the chain of events leading to the FBI.

(In what follows, all technical details were provided by Helkowski; neither the university nor The Canton Group agreed to speak with Ars about his account.)

In November of 2013, Helkowski said, he was asked by a co-worker on The Canton Group’s team responsible for work with the Drupal Web content management system to help migrate data from a legacy ColdFusion site belonging to the University of Maryland’s School of Public Health. Using the team’s access to the server, Helkowski said he downloaded the contents of the site’s directory from the server to his work computer.

That download set off his malware scanner. Helkowski started to investigate why, and he found that one of the files on the server was a PHP script file. The code in the file had been compressed and obfuscated to hide its purpose, so Helkowski began decompressing and analyzing the code to find out just what it did.

The script turned out to be a piece of Web server malware known as C99Shell—a backdoor script that allows a remote user to execute arbitrary commands on the server, search through the file system, and upload files among other things. Because of the configuration of the server, the remote user was able to execute commands with the permissions of the Web server (httpd) user account. That included access to other University of Maryland websites, which resided in other directories on the same file system. It also came with the ability to change file permissions. “It was pretty close to root access because the user was so widely capable,” Helkowski said.

Based on its creation date in the file system, Helkowski said, the backdoor script had been on the server since 2011—meaning that the server was breached at least once over the last two years. He found another similar script not detected by the malware scanner. It appeared that the scripts were both uploaded to the site through a Web interface that allowed site users to post images to the website. The directory the upload page put files in was configured to allow PHP scripts within it to be executed by the Web server. Not good.
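A defender's check for the condition described above, as an added example (not code from the article or from anyone it describes): it audits an image-upload directory for files that are not images or that contain PHP, including the decode-then-eval wrapper typical of packed PHP. The function names, extension list, regex heuristics and sample files are assumptions constructed for illustration, and the file-signature check goes slightly beyond what the article describes.

```python
import os
import re
import tempfile

# File signatures an image-upload form would legitimately accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions commonly mapped to the PHP handler (assumed list, adjust per server).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

PHP_OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)

# Heuristic for packed PHP: eval() fed directly by a decode/decompress call.
# This is a generic pattern, not the signature of the file found on the server.
PACKED_EVAL = re.compile(
    rb"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE,
)

MAX_BYTES = 1024 * 1024  # read at most 1 MiB per file


def sniff_image(head):
    """Return the image type matching the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def audit_file(path):
    """Return a list of findings for one uploaded file (empty list = clean)."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_BYTES)
    findings = []
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
        findings.append("script-extension")
    if sniff_image(data[:8]) is None:
        findings.append("not-an-image")
    if PHP_OPEN_TAG.search(data):
        findings.append("php-code")
    if PACKED_EVAL.search(data):
        findings.append("packed-eval")
    return findings


def audit_upload_dir(root):
    """Walk an upload directory; map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            findings = audit_file(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_tree(root):
    """Create constructed sample uploads (inert content) under root."""
    os.makedirs(os.path.join(root, "gallery"))
    samples = {
        # A legitimate upload: PNG signature followed by filler bytes.
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        # Constructed stand-in for a packed script; the payload decodes to "ABC".
        os.path.join("gallery", "img_2011.php"):
            b"<?php eval(gzinflate(base64_decode('QUJD'))); ?>",
        # Image extension, but the content is script text rather than an image.
        "photo.jpg": b"<?php echo 'not an image'; ?>",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, findings in sorted(audit_upload_dir(tmp).items()):
            print(f"{rel}: {', '.join(findings)}")
```

Any finding in an upload directory is worth investigating, and the underlying fix is still the server configuration: the upload directory should not have a script handler enabled at all.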


Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat

149 Reader Comments

On March 14, Helkowski made his point rather dramatically by posting the university president’s Social Security number and phone number to reddit. He then sent an anonymous e-mail to the members of the university’s newly formed security task force, telling them in no uncertain terms just how horrible their security was.

Uh, yeah, I wonder why some maybe think he crossed a line. Why did he post this information publicly, rather than contacting the University president, his own bosses, and engaging privately into the details of the hack and information so easily obtained? Pen testing is critical to network security. Posting private data found during pen testing to a public website ISN'T!

One of the most consistent messages I offer here is about interactions with law enforcement, and can be expressed in two words — shut up

...

In brief, the reasons to shut up are these: cops are not looking out for your best interests. Cops are looking to make, or close, a case, which they seek to do according to their cultural preconceptions. If you answer their questions, cops' evaluation of your words will be colored by their habitual assumption that you are lying.

He deserves everything he reaps. This is not how you go reporting PEN tests.

While I agree that he should probably have kept pushing official channels instead of taking matters into his own hands, the historically rather draconian sentencing in computer related crime makes me pretty sure that his punishment will go way beyond what he deserves or is reasonable in this type of offense.

[Edit]: Also, he caught the malicious script on the university web server because he downloaded it onto his home computer and his antivirus software detected the malicious code. So his home computer's AV detection capability was better than what was running on the university servers. Troubling to say the least.

He deserves everything he reaps. This is not how you go reporting PEN tests.

While I agree that he should probably have kept pushing official channels instead of taking matters into his own hands, the historically rather draconian sentencing in computer related crime makes me pretty sure that his punishment will go way beyond what he deserves or is reasonable in this type of offense.

[Edit]: Also, he caught the malicious script on the university web server because he downloaded it onto his home computer and his antivirus software detected the malicious code. So his home computer's AV detection capability was better than what was running on the university servers. Troubling to say the least.

I don't think federal prosecution is truly warranted here either. However, being fired from his job seems in line with the actions taken. Maybe even some degree of financial penalty for placing the university president's ss# on-line for all to see.

I understand the frustration of bosses and clients taking a lackadaisical attitude towards security, even after demonstrative actions showing the potential pitfalls. What you don't do is expose the type of data that this guy did. Even Snowden released his information in a redacted form to showcase what type of data was being harvested and the methods used, without releasing the actual data.

You don't do PEN testing unless you have a signed contract from the folks who run the systems saying you have the authority to do it. Even then it could, legally, be a grey area depending on the local laws.

On March 14, Helkowski made his point rather dramatically by posting the university president’s Social Security number and phone number to reddit.

Methinks David doesn't know the difference between white hat and black hat. Posting someone's SSN may very well get everyone's attention, but it's still releasing private and confidential information. This is why I'm not a fan of Anonymous. He should have taken his report directly to the University's President, and possibly even the feds as this may violate federal law? http://www.fas.org/sgp/crs/secrecy/RL34120.pdf

Not sure, but the reality is, good intentions or not, he didn't get the information in the right hands.

It is a shame that he will find it difficult to secure employment in the IT field for the foreseeable future. That being said, he might think of marketing his services to various open-source projects and/or companies looking to secure themselves from 0-day vulnerabilities such as HeartBleed.

Was he immature and stupid in his manner of communicating the vulnerability? Yes.

Was it his business to reveal said vulnerabilities to the client without the acquiescence of his employer? No.

Did he shoot off his mouth about his "hacking" to others around him? Yes.

Did he disobey the golden rule of "hacking?" Yes.

What's that rule? Don't say shit to anybody, anytime, about anything you're "hacking", for any reason, especially to the "authorities"...period.

Consulting firms and many employers/clients are highly conservative people when it comes to their paychecks. They can, and will, cut someone loose and let them "dangle in the wind" if it'll protect their income stream. They'll do this with little, if any, regard to the downstream consequences of the end-users that may be harmed because of their timidity. As long as they get their paycheck(s), they wash their hands of unpleasant matter(s).

This is the way of the world, especially of IT consulting, and is one of the most disturbing symptoms of the "private sector" and "entrepreneurial" sectors.

I can definitely relate to the outrage over the laissez-faire attitude everyone from universities to Target takes with our personal information, but this is the wrong way to save the world. The only way to get entities to take information security seriously is to charge them money if they don't. Put disincentives in place if there is a breach of sensitive personal information.

I work in the healthcare industry with patient data and let me tell you, they take HIPAA violations VERY seriously. We have training quarterly about what constitutes HIPAA violations and why they're such a big deal. We're constantly beaten over the head with what constitutes a HIPAA violation and how we should handle patient information so that it is not leaked. Why does my employer take this information security so seriously? Is it because we care so much about our members, or that deep down we're really an altruistic healthcare giant? Of course it's not: we have to pay money if we breach any patient information. It's as simple as that.

Unfortunately, in business "doing the right thing" is not on the top of the list of priorities.. making and keeping money is.

You, who claim to be so noble, intelligent, etc. just posted that SSN etc. on the internet, and believe that you can in any way just "pull it off?"

Ok. So you found a hacked box. Why on earth didn't you talk *directly* to whatever admin(s) in charge of said box(es), and politely tell them that this should be changed asap? Second, wtf were you doing wasting your time copying their data, and poking around so much, instead of, oh, I don't know, maybe doing something like *whatever it is you were hired to help them with.*

The line was crossed in many places.

As for finding another job in the field, I hope that if one does work out, that you get politely taught some courtesy, respect, and work on understanding more about better ways to interact with humans. Being arrogant and then acting like you're above reproach is just a pure dick move, buddy.

As I had mentioned on the previous article, there is absolutely nothing to justify what this guy did. He was upset the issue was not remediated in two weeks? Hell, most companies, let alone a bureaucratic nightmare that is a university, would not have been able to remediate that and go through all the processes required.

He fulfilled his role in informing UMD of the breach, and now it is in the university's court. And he completely invalidates any claim to the high ground, as he himself posted this sensitive information to the internet. No matter what reasoning he gives, that is obviously illegal and immoral. Malicious people could have now just obtained the SSN and committed identity fraud with it - and as a victim of identity fraud myself, this is a HUGE hassle to deal with for years to come.

I sincerely hope he does not get another job in this field - I would absolutely not trust the morals and ethics of a company that chooses to employ someone like this who felt he did nothing wrong.

I think he was overstepping his bounds by taking his work home and hacking into the school's infrastructure.

The better course of action would have been to say something along the lines of: "I think similar vulnerabilities I found may exist on other systems, I would like your permission to continue my investigation." Then demonstrate his findings.

Instead, he hacks the company without permission and then posts that data on the internet. Now, I don't think what he did was malicious, but I do think he was an idiot. People should be punished for being idiots, otherwise they'll never learn.

Edit: Based on his remarks, I really don't think he learned from this.

While I agree with the posts that Helkowski did wrong, publishing private information on the internet just isn't cool. I have a very hard time seeing past that both the Canton Group and the University were playing a game of who can stick their head into the sand deeper.

The facts remain the same:

Helkowski should not have posted public information on the internet.

The Canton group didn't care to report nor fix the issues.

The University didn't care to request the issues to be fixed.

Failure on every level, and both the Canton group and the University are more interested in burying the issue than solving them. I highly doubt that they have even bothered to do a threat risk assessment and attempted to correct the issues (and no, I'm not going to even bother to consider checking, it is their ass not mine).

But according to Helkowski, he was soon told that his report wouldn’t actually be given to the university. This infuriated him, and he felt like the issue was being swept under the rug.

It's not his job, or place to get infuriated over things like this. If they don't listen, bring it up again formally as a concerned consultant - through official channels.

Never go full whitehat.

Well, it wasn't whitehat (authorized pen testing, reported responsibly). It wasn't even grayhat (unauthorized pen testing, reported responsibly). It was blackhat. It doesn't matter if it was done for money, or done because he's a self-righteous ass; it was unauthorized, and not reported responsibly.

Change your title Sean Gallagher, unauthorized publication of private information is full on Black Hat. It isn't even a grey area. David Helkowski violated the cardinal rule of IT security by taking it outside the organization. Additionally, posting people's private data on Reddit is completely illegal and not ethical in any way. There are professional, and correct ways to conduct this sort of business and he broke all the rules, including privacy laws. Doing this makes him a Black Hat hacker with insider information, the worst kind.

I sympathize a bit with Helkowski because I really do think that he didn't understand the severity of what he was doing. That doesn't make it right.

As I read the article I pulled out quotes from Helkowski and descriptions of his various actions. My plan was to point out his mistakes at each step of the process. But the list is just too long. Except for the few times he reports issues found during his normal course of work to his bosses, pretty much everything this guy does is wrong. If you are in IS or computer security, the correct action is generally the exact opposite of everything he has done.

Don't break in to the system from your home. Don't download passwords to cover your ass. Don't send anonymous warning letters. Don't do the thing that has the rest of your team saying, no, don't do that. Don't post SSNs to reddit. Don't admit to the FBI everything you've done. Don't talk to the press without your lawyer present.

Given all the truly, fantastically stupid things this guy has done, I am skeptical he is smart enough to discover all the security issues mentioned in TFA.

As I read the article I pulled out quotes from Helkowski and descriptions of his various actions. My plan was to point out his mistakes at each step of the process. But the list is just too long. Except for the few times he reports issues found during his normal course of work to his bosses, pretty much everything this guy does is wrong. If you are in IS or computer security, the correct action is generally the exact opposite of everything he has done.

Don't break in to the system from your home. Don't download passwords to cover your ass. Don't send anonymous warning letters. Don't do the thing that has the rest of your team saying, no, don't do that. Don't post SSNs to reddit. Don't admit to the FBI everything you've done. Don't talk to the press without your lawyer present.

Given all the truly, fantastically stupid things this guy has done, I am skeptical he is smart enough to discover all the security issues mentioned in TFA.

I wonder if maybe he is like a savant or just lacks tact. Is really good with code and really smart at his "job"--but lacking in sense.

So...it was an LDAP database? Or was the database named LDAP? I am a bit confused on that? It sounds like it was an LDAP database he was mining. Often times people use crap security with them and store PT passwords instead of even just basic hashes (we use salted hashes).

At any rate...so he "hated his employers" because they were "a bunch of idiots"...idiots with jobs, making money and stuff. Such idiocy, much stupid.

In the end he DID post data from his hack to the public internet too. Uh...so, where was there any "okay" in this. He sounds like a self righteous person in the extreme. Beyond sounding personally unlikable, I don't see where any of what he did was okay. From his employers perspective he admitted he went off job while on the clock doing things his employer was NOT paying him for, which isn't okay. Then threatened the relationship his employer had with their client.

Honestly I am surprised his employer only fired him and not sued him too...though from what I know of the Canton group, probably too small to absorb the cost of litigation till a possible win (if there was one) and possibly too small returns.

As for possible future charges...sounds like he probably should be charged at some point.

I just don't see where anything was okay. yay, he waited 2 weeks and then assumed they did nothing, went after other parts of the system and when there were vulns, he exploited them, posted PII to the internet and sent a rather threatening sounding email to the sys admins.

Helkowski was still insistent on one point: his hack, designed to draw attention to security flaws, had been a noble act......

.....That transformation from developer to hacker came to a head when Helkowski decided that the vulnerabilities had gone unfixed for too long. He set out to prove a point about computer security both to the University of Maryland and to his employers. In early March 2014, working from a computer in his Parkville, Maryland home, Helkowski said that he exploited a misconfigured Web server and some poor database security in order to duplicate the results of a recent data breach that exposed the Social Security numbers and personal information for more than 300,000 current and former University of Maryland students and staff.

Sorry ARS !! But once he crossed that line he IS NO LONGER WHITEHAT !!

ARS bullshit title grabs. Be accurate not sensationalist. You start this crap out like he's a hero / angel. The Maryland hacks were national news - if it's NOT his job to handle security for the University then he should have left it the fuck alone. Report his concerns to the proper people either within his company OR at the University. The End.

Now he's blackhat and being brought up on serious federal charges because his OCD kicked in. Fucking adults are no better than kids with temper-tantrums that can't leave other people's shit alone. Reminds me of my 4-year old niece that can't stop touching stuff in a store after I've told her 50 times to leave it alone.

No ounce of sympathy for this moron.

I hope he gets prosecuted and this should be a lesson to the other OCD morons out there that are trying to "do good" --- there are ways to go about it and there are ways to NOT go about it - if you have enough brains to know there is a flaw in someone's system then you should have enough brains to not fuck with it if they don't adhere your observations.

It Is Not Your Problem - Unless You Are Directly Affected By It - In Which Case You Bring That Shit To A President's or Board's Attention.

This is the same thing as telling a bank their vault is not secure then taking it upon yourself to "prove it" due to your OCD that the bank has not secured the vault then expecting to not go to jail.

I did actually feel a bit bad for this guy... but only because I didn't realize how he disclosed the SSN. I thought from the last article that he just emailed it to them. That was definitely crossing the line.

So...it was an LDAP database? Or was the database named LDAP? I am a bit confused on that? It sounds like it was an LDAP database he was mining. Often times people use crap security with them and store PT passwords instead of even just basic hashes (we use salted hashes).

At any rate...so he "hated his employers" because they were "a bunch of idiots"...idiots with jobs, making money and stuff. Such idiocy, much stupid.

In the end he DID post data from his hack to the public internet too. Uh...so, where was there any "okay" in this. He sounds like a self righteous person in the extreme. Beyond sounding personally unlikable, I don't see where any of what he did was okay. From his employers perspective he admitted he went off job while on the clock doing things his employer was NOT paying him for, which isn't okay. Then threatened the relationship his employer had with their client.

Honestly I am surprised his employer only fired him and not sued him too...though from what I know of the Canton group, probably too small to absorb the cost of litigation till a possible win (if there was one) and possibly too small returns.

As for possible future charges...sounds like he probably should be charged at some point.

I just don't see where anything was okay. yay, he waited 2 weeks and then assumed they did nothing, went after other parts of the system and when there were vulns, he exploited them, posted PII to the internet and sent a rather threatening sounding email to the sys admins.

If I understood it correctly, the "LDAP" directory was actually not an official directory and sounded like a dump of the information a hacker had made.

Edit: Adding quote from article.

Quote:

“They said, ‘We don't know what this is, we don't know where it came from.’ Apparently it's some sort of mirror that someone created for some other application—it wasn't the live directory,”

While I agree with the posts that Helkowski did wrong, publishing private information on the internet just isn't cool. I have a very hard time seeing past that both the Canton Group and the University were playing a game of who can stick their head into the sand deeper.

The facts remain the same:

Helkowski should not have posted public information on the internet.

The Canton group didn't care to report nor fix the issues.

The University didn't care to request the issues to be fixed.

Failure on every level, and both the Canton group and the University are more interested in burying the issue than solving them. I highly doubt that they have even bothered to do a threat risk assessment and attempted to correct the issues (and no, I'm not going to even bother to consider checking, it is their ass not mine).

It's unclear and doesn't sound like the Canton group had any area of responsibility to UMD for system security. It doesn't sound like they were being contracted for anything like that.

UMD very well might have been attempting to fix the issue and/or did. If you read the article it makes mention of the fact that after 2 weeks (this isn't a single person, small group or modest organization, this is a large university, for better or worse, this crap takes time) he poked around and found DIFFERENT vulns to what he found and reported before, so he exploited them, dumped the data, posted one piece and sent a vaguely threatening sounding email to the UMD system admins.

UMD didn't entirely sound like they were putting their heads in the sand. How long do you propose it would take to rearch an LDAP and the systems that connect to it to change from plain text to hashed passwords, oh and made sure it all worked? 2 hours? A day? I'd think to do due diligence it might well take a few weeks of testing and work before you possibly knock out a bunch of university systems...like admissions, payroll, etc.

Demonstrating once again that expertise in one area doesn't mean you have a lick of common sense. I was a little sympathetic to him based on the previous article, but posting the president's personal info online was inexcusable. Sending personal info to the individuals is bold to the point of stupidity, but posting it online is immoral and just asinine. What did he think would occur? It just doesn't make sense for a rational adult.

But according to Helkowski, he was soon told that his report wouldn’t actually be given to the university. This infuriated him, and he felt like the issue was being swept under the rug.

It's not his job, or place to get infuriated over things like this. If they don't listen, bring it up again formally as a concerned consultant - through official channels.

Never go full whitehat.

Well, it wasn't whitehat (authorized pen testing, reported responsibly). It wasn't even grayhat (unauthorized pen testing, reported responsibly). It was blackhat. It doesn't matter if it was done for money, or done because he's a self-righteous ass; it was unauthorized, and not reported responsibly.

This should be nominated for Editor's Pick. This guy broke the whitehat rules (which have little to do with intention and everything to do with protocol).

Step 1) Students and employees sue the university and the individuals responsible for not having sufficient security even after they were made aware that there were major security issues.

Step 2) University sues The Canton Group for not disclosing issues before the data breach.

Step 3) This guy sues The Canton Group for firing him

Step 4) Lawyers get PAID

Helkowski made some profoundly foolish decisions, but anyone that has had the slightest exposure to IT should immediately understand his frustrations.

I wish him well and hope he is not subjected to the vicious meat-grinder that is federal prosecution.

Of course he's frustrated, but he took it too far. He went to breaking the law to get what he wanted to happen.

I'm OK with someone breaking a law for a noble cause - especially if they're willing to risk the consequences (eg. American Revolution). Posting a person's confidential information on Reddit is way off in a whole nuther direction though. The guy was either doing it with malice, or he's ungodly stupid. His choice of target was horrible. Nobody expects a university president to be on top of network security.

All the other stuff he did, I can agree with, but posting the SSN on the internet? wtf?

He could have just sent the last 4 digits in an email as proof that it can be hacked, and if they want further proof, use a more secure method of communication to show that he was able to access the full number.

If I was in a situation where I was able to access someone's personal info like that I'm not sure if I'd be scared to report it because of possible trouble or if I'd report it to them, but I wouldn't post it on the internet for any reason because then I'd surely get in trouble if anyone found out it was me.

As I read the article I pulled out quotes from Helkowski and descriptions of his various actions. My plan was to point out his mistakes at each step of the process. But the list is just too long. Except for the few times he reports issues found during his normal course of work to his bosses, pretty much everything this guy does is wrong. If you are in IS or computer security, the correct action is generally the exact opposite of everything he has done.

I wonder if maybe he is like a savant or just lacks tact. Is really good with code and really smart at his "job"--but lacking in sense.

Your description of this guy sounds like about a third of the folks I have worked with in IT. I used to think it was a good thing that the socially awkward have found a home in IT where they won't be judged for their foibles in the work place. Now? Not so sure.

One of the most consistent messages I offer here is about interactions with law enforcement, and can be expressed in two words — shut up

...

In brief, the reasons to shut up are these: cops are not looking out for your best interests. Cops are looking to make, or close, a case, which they seek to do according to their cultural preconceptions. If you answer their questions, cops' evaluation of your words will be colored by their habitual assumption that you are lying.

If he doesn't regret posting private info for the public to see, then it's best that he not work in his chosen field. If he emailed the individuals with their exposed data that would probably have gotten the attention required, making it public was just stupid no matter how you slice it.